ABSTRACT


In a binary-search algorithm for the computation of a numerical function, the interval in which the desired output is sought is divided in half at each iteration. The paper considers how such algorithms might be derived from their specifications by an automatic program-synthesis system. The derivation of the binary-search concept has been found to be surprisingly straightforward. The programs obtained, though reasonably simple and efficient, are quite different from those that would have been constructed by informal means.

Key Words: program synthesis, theorem proving, binary search, real square root


INTRODUCTION 


Some of the most efficient algorithms for the computation of numerical functions rely on the technique of binary search: according to this technique, the interval in which the desired output is sought is divided in half at each iteration until it is smaller than a given tolerance.

For example, let us consider the following program for finding a real number approximation to the square root of a nonnegative real number r. The program sets z to be within a given positive tolerance ε less than √r.

    z ← 0
    v ← max(r, 1)
    while ε ≤ v do v ← v/2
                   if [z + v]² ≤ r then z ← z + v
    return(z)

This is a classical square-root program based on one that appeared in Wensley [59]. The program establishes and maintains the loop invariant that z is within v less than √r, i.e., that √r belongs to the half-open interval [z, z + v). At each iteration, the program divides this interval in half and tests whether √r is in the right or left half, adjusting z and v accordingly, until v is smaller than the given tolerance ε. The program is reasonably efficient; it terminates after
iterations.
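The classical program above, transcribed into runnable Python as an added example (not code from the paper); the exact rational arithmetic and the function names are choices made here. The loop invariant and the output condition are asserted on every run, with the invariant checked in its closed form because the input r = 1 sits exactly on the upper end of the interval.

```python
from fractions import Fraction


def spec_holds(r, eps, z):
    """Output condition of the sqrt specification: z^2 <= r and not (z + eps)^2 <= r."""
    return z * z <= r and not (z + eps) ** 2 <= r


def sqrt_binary_search(r, eps):
    """Run the classical halving program in exact rationals; return (z, iterations)."""
    r, eps = Fraction(r), Fraction(eps)
    if not (0 <= r and 0 < eps):
        raise ValueError("input condition 0 <= r and 0 < eps is not satisfied")

    z = Fraction(0)
    v = max(r, Fraction(1))
    iterations = 0

    def invariant():
        # sqrt(r) lies between z and z + v. Checked in the closed form: for
        # r = 1 the start values z = 0, v = 1 give (z + v)^2 = r, so the strict
        # upper bound of the half-open interval fails at that one input.
        return z * z <= r <= (z + v) ** 2

    assert invariant()
    while eps <= v:
        v /= 2                      # halve the interval
        if (z + v) ** 2 <= r:       # sqrt(r) is in the right half
            z += v
        iterations += 1
        assert invariant()

    # On exit v < eps, so sqrt(r) <= z + v < z + eps: the output condition holds.
    assert spec_holds(r, eps, z)
    return z, iterations


if __name__ == "__main__":
    # Constructed sample inputs: (r, eps).
    for r, eps in [(2, Fraction(1, 1000)), (1, Fraction(1, 4)), (0, 1)]:
        z, n = sqrt_binary_search(r, eps)
        print(f"sqrt({r}, {eps}) = {z} after {n} iterations")
```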

Analogous programs provide an efficient means of computing a variety of numerical functions. It is not immediately obvious how such programs can be developed by automatic program-synthesis systems, which derive programs to meet given specifications. Some researchers (e.g., Dershowitz and Manna [77], Smith [85]) have suggested that synthesis systems be provided with several general program schemata, which could be specialized as required to fit particular applications. Binary search would be one of these schemata. The system would be required to discover which schema, if any, is applicable to a new problem.

It may indeed be valuable to provide a synthesis system with general schemata, but this approach leaves open the question of how such schemata are discovered in the first place. To our surprise, we have found that the concept of binary search emerges quite naturally and easily in the derivations of some numerical programs and does not need to be built in. The programs we have obtained in this way are reasonably simple and efficient, but bizarre in appearance and quite different from those we would have constructed by informal means.

The programs have been derived in a deductive framework (Manna and Waldinger [80], [85]) in which the process of constructing a program is regarded as a task of proving a mathematical theorem. According to this approach, the program's specification is phrased as a theorem, the theorem is proved, and a program guaranteed to meet the specification is extracted from the proof. If the specification reflects our intentions correctly, no further verification or testing is required.

In this paper we outline our deductive framework and show the derivation of a numerical program up to the point at which the binary-search concept emerges. We then show several analogous binary-search programs that have been developed by this method. Finally we discuss what these findings indicate about the prospects for automatic program synthesis.


DEDUCTIVE PROGRAM SYNTHESIS

In this section we describe our framework for deductive program synthesis, emphasizing those aspects that are essential for the derivation fragment that appears in this paper. Readers who would like a fuller introduction to this approach are referred to Manna and Waldinger ([80], [85]).

We begin with an outline of the logical concepts we shall need.


LOGICAL PREREQUISITES

The system deals with

• terms composed (in the usual way) of constants a, b, c, ..., variables u, v, w, ..., function symbols, and the conditional (if-then-else) term constructor;

• atoms composed of terms, relation (predicate) symbols, including the equality symbol =, and the truth symbols true and false;

• sentences composed of atoms and logical connectives.


Sentences are quantifier-free. We sometimes use infix notation for function and relation symbols (for example, x + a or 0 < y). An expression is a term or a sentence. An expression is said to be ground if it contains no variables. Certain of the symbols are declared to be primitive; these are the computable symbols of our programming language.

Let e, s, and t be expressions, where s and t are either both sentences or both terms. If we write e as e[s], then e[t] denotes the result of replacing every occurrence of s in e[s] with t.

We loosely follow the terminology of Robinson [79]. We denote a substitution θ by {x₁ ← t₁, x₂ ← t₂, ..., xₙ ← tₙ}. For any expression e, the expression eθ is the result of applying θ to e, obtained by simultaneously replacing every occurrence of the variable xᵢ in e with the corresponding term tᵢ. We shall also say that eθ is an instance of e.

Variables in sentences are given an implicit universal quantification; a sentence is true under a given interpretation if and only if every instance of the sentence is true, and if and only if every ground instance of the sentence (i.e., an instance that contains no variables) is true.

Let e, s, and t be expressions, where s and t are either both sentences or both terms, and let θ be a substitution. If we write e as e[s], then eθ[t] denotes the result of replacing every occurrence of sθ in eθ with t.

We now describe the basic notions of deductive program synthesis.


SPECIFICATIONS AND PROGRAMS


A specification is a statement of the purpose of the desired program, which need give no indication of the method by which that purpose is to be achieved. In this paper we consider only applicative (or functional) programs, which yield an output but alter no data structures and produce no other side effects. The specifications for these programs have the form

    f(a) ⇐ find z such that R[a, z]
           where P[a].

In other words, the program f we want to construct is to yield, for a given input a, an output z satisfying the output condition R[a, z], provided that the input a satisfies the input condition P[a]. In other words, z is to satisfy the input-output condition

    if P[a]
    then R[a, z].


For example, suppose we want to specify the program sqrt to yield a real number z that is within a given tolerance ε less than √r, the exact square root of a given nonnegative real number r. Then we might write

    sqrt(r, ε) ⇐ find z such that
                   z² ≤ r and not [(z + ε)² ≤ r]
                 where 0 ≤ r and 0 < ε.

In other words, we want to find an output z satisfying the output condition

    z² ≤ r and not [(z + ε)² ≤ r],

provided that the inputs r and ε satisfy the input condition

    0 ≤ r and 0 < ε.

The above square-root specification is not a program and does not indicate a particular method for computing the square root; it describes the input-output behavior of many programs, employing different algorithms and perhaps producing different outputs.

The programs we consider are sets of expressions of the form

    fᵢ(a) ⇐ tᵢ,

where tᵢ is a primitive term, i.e., one expressed entirely in the vocabulary of our programming language. These programs can be mutually recursive; i.e., we regard the function symbols fᵢ as primitive. In the usual way, such a program indicates a method for computing an output. For the most part, in this paper we shall consider programs consisting of only a single expression f(a) ⇐ t, which may be recursive.

In a given theory, a program f is said to satisfy a specification of the above form if, for any input a satisfying the input condition P[a], the program f(a) terminates and produces an output t satisfying the output condition R[a, t].


DEDUCTIVE TABLEAUS


The fundamental structure of our system, the deductive tableau, is a set of rows, each of which must contain a sentence, either an assertion or a goal; any of these rows may contain an expression, the output entry. An example of a tableau follows:

    assertions              goals           outputs f(a)
    ----------------------------------------------------
    P[a]
                            R[a, z]         z
    if q(u) then R[u, 0]
                            q(a)            0

Here u and z are variables and a and 0 are constants.


Under a given interpretation, a tableau is true whenever the following condition holds:

    If all instances of each of the assertions are true,
    then some instance of at least one of the goals is true.

Equivalently, the tableau is true if some instance of at least one of the assertions is false or some instance of at least one of the goals is true. Thus, the above tableau is true if P[a] is false, if

    if q(b)
    then R[b, 0]

is false, if R[a, c] is true, or if q(a) is true (among other possibilities).

In a given theory, a tableau is said to be valid if it is true under any model for the theory. Under a given interpretation and for a given specification

    f(a) ⇐ find z such that R[a, z]
           where P[a],

a goal is said to have a suitable output entry if, whenever an instance of the goal is true, the corresponding instance t' of the output entry will satisfy the input-output condition

    if P[a]
    then R[a, t'].

(If the goal has no explicit output entry, then it is said to have a suitable output entry if, whenever an instance of the goal is true, any term t' satisfies the input-output condition.) An assertion is said to have a suitable output entry if, whenever an instance of the assertion is false, the corresponding instance t' of the output entry will satisfy the input-output condition.


Example 

In the theory of the real numbers, consider the square-root specification

    sqrt(r, ε) ⇐ find z such that
                   z² ≤ r and not [(z + ε)² ≤ r]
                 where 0 ≤ r and 0 < ε

and the following tableau:

    assertions              goals                      outputs sqrt(r, ε)
    ---------------------------------------------------------------------
    1. 0 ≤ r and 0 < ε
                            2. z² ≤ r and              z
                               not [(z + ε)² ≤ r]
                            3. not (ε² ≤ r)            0

This tableau is valid in the theory of real numbers, because, under any model of the theory, either the assertion (which has no variables) is false or some instance of one of the two goals is true. (In particular, the instance of goal 2 obtained by taking z to be √r itself is true.)

Under any model for the theory, the output entries of the above tableau are suitable for the square-root specification. In particular, if some instance of goal 2, obtained by replacing z with s, is true, then s will satisfy the input-output condition. That is,

    if 0 ≤ r and 0 < ε
    then s² ≤ r and not [(s + ε)² ≤ r]

is true. Also, if assertion 1, which has no output entry, is false, then any term s satisfies the above condition.

Under a given interpretation I and for a given specification, two tableaus T₁ and T₂ have the same meaning if

    T₁ is true under I
    if and only if
    T₂ is true under I

and

    the output entries of T₁ are suitable
    if and only if
    the output entries of T₂ are suitable.

In a given theory and for a given specification, two tableaus are equivalent if, under any model I for the theory, the meaning of the two tableaus is the same.


PROPERTIES OF A TABLEAU


Let us consider a particular theory and a particular specification, which will both remain fixed throughout this discussion. We shall use the following properties of a tableau:

• Duality Property

Any tableau is equivalent to the one obtained by removing an assertion and adding its negation as a new goal, with the same output entry. Similarly, any tableau is equivalent to the one obtained by removing a goal and adding its negation as a new assertion. Thus, we could manage with a system that has no goals or a system that has no assertions, but the distinction between assertions and goals does have some intuitive significance.

• Renaming Property

Any tableau is equivalent to the one obtained by systematically renaming the variables of any row. More precisely, we may replace any of the variables of the row with new variables, making sure that all occurrences of the same variable in the row (including those in the output entry) are replaced by the same variable and that distinct variables in the row are replaced by distinct variables. In other words, the variables of a row are dummies that may be renamed freely.

• Instance Property

Any tableau is equivalent to the one obtained by introducing as a new row any instance of an existing row. The new row is obtained by replacing all occurrences of certain variables in the existing row (including those in the output entry) with terms. Note that the existing row is not replaced; the new one is simply added.


THE DEDUCTIVE PROCESS


Consider a particular theory and the specification

    f(a) ⇐ find z such that R[a, z]
           where P[a].

We form the initial tableau


assertions


We may also include in the initial tableau (as an assertion) any valid sentence of the theory.

Note that the output entries of this tableau are suitable: Under any model for the theory, if the initial assertion P[a] is false, then any output satisfies the input-output condition vacuously; and if some instance R[a, t] of the initial goal is true, the corresponding instance t of the associated output entry satisfies the input-output condition. Furthermore, the valid sentences included as initial assertions cannot be false.

We attempt to show that the above tableau is valid. We proceed by applying deduction rules that add new rows without changing the tableau's meaning in any model for the theory. In other words, under a given model, the tableau is true before application of the rule if and only if it is true afterwards, and the output entries are suitable before if and only if they are suitable afterwards. We describe the deduction rules in the next section.

The deductive process continues until we obtain either of the two rows


where the output entry t is primitive, i.e., expressed entirely in the vocabulary of our programming language. (We regard the input constant a and the function symbol f as primitive.) At this point, we derive the program

We claim that t satisfies the given specification. For, in applying the deduction rules, we have guaranteed that the new output entries are suitable if the earlier output entries are suitable. We have seen that the initial output entries are all suitable; therefore, the final output entry t is also suitable. This means that, under any model, if the final goal true is true or the final assertion false is false, the corresponding output entry t will satisfy the input-output condition

    if P[a]
    then R[a, t].

But under any model the truth symbols true and false are true and false, respectively, and hence t will satisfy the input-output condition. Therefore, the program f(a) ⇐ t does satisfy the specification.


THE DEDUCTION RULES


We now introduce the deduction rules of our system, emphasizing those that play a role in the portions of the square-root derivation we present. We begin with the simplest of the rules.


THE TRANSFORMATION RULES

The transformation rules replace subexpressions of an assertion, goal, or output entry with equal or equivalent expressions. For instance, with the transformation rule

    P and true → P,

we can replace the subsentence ((A or B) and true) with (A or B) in the assertion


    u + u → 2u,

we can replace a subterm (a + b) + (a + b) with the term 2(a + b).

We use an associative-commutative matching algorithm (cf. Stickel [81]), so that the associative and commutative properties of operators can be taken into account in applying the transformation rules. Thus, we can use the above rules to replace a subsentence (true and B) with the sentence B and the subterm (a + b) + b with the term a + 2b.

We include a complete set of true-false transformation rules, such as

    not false → true

    if P then false → not P.

Repeated application of these rules can eliminate from a tableau row any occurrence of the truth symbols true and false as a proper subsentence.

The soundness of the transformation rules is evident, since each produces an expression equivalent or equal (in the theory) to the one to which it is applied.


THE RESOLUTION RULE: GROUND VERSION


The resolution rule corresponds to case analysis in informal reasoning. We first present the ground version of the rule, which applies to ground goals. We express it in the following notation:

    assertions    goals                     outputs f(a)
    ----------------------------------------------------
                  F[P]                      s
                  G[P]                      t
    ----------------------------------------------------
                  F[true]                   if P
                  and                       then s
                  G[false]                  else t

In other words, suppose our tableau contains two ground goals, F and G, whose output entries are s and t, respectively. Suppose further that F and G have a common subsentence P. Then we may derive and add to our tableau the new goal obtained by replacing all occurrences of P in F with true, replacing all occurrences of P in G with false, and forming the conjunction of the results. The output entry associated with the derived goal is the conditional expression whose test is the common subexpression P and whose then-clause and else-clause are the output entries s and t for F and G, respectively. Because the resolution rule always introduces occurrences of the truth symbols true and false as proper subsentences, we can immediately apply true-false transformation rules to the derived goal.


For example, suppose our tableau contains the rows

    assertions    goals                             outputs f(a, b)
    ---------------------------------------------------------------
                  [p(a, b)] and q(a)                a
                  not (if r(b) then [p(a, b)])      b

These goals have a common subsentence p(a, b), indicated by boxes. Therefore we may derive and add to our tableau the new goal

                  true and q(a)                     if p(a, b)
                  and                               then a
                  not (if r(b) then false)          else b

By repeated application of transformation rules, this goal reduces to

                  q(a) and r(b)                     if p(a, b)
                                                    then a
                                                    else b


If one of the given goals has no output entry, the derived output entry is not a conditional expression; it is simply the output entry of the other given goal. If neither given goal has an output entry, the derived goal has no output entry either. We do not require that the two given goals be distinct; we may apply the rule to a goal and itself.

We have presented the resolution rule as it applies to two goals. According to the duality property of tableaus, however, we may transform an assertion into a goal simply by negating it. Therefore, we can apply the rule to an assertion and a goal, or to two assertions.

The resolution rule may be restricted by a polarity strategy (Murray [82]; see also Manna and Waldinger [80]), according to which we need not apply the rule unless some occurrence of P in F is "positive" and some occurrence of P in G is "negative". (Here a subsentence of a tableau is regarded as positive or negative if it is within the scope of a respectively even or odd number of negation connectives. Each assertion is considered to be within the scope of an implicit negation; thus, while goals are positive, assertions are negative. The if-clause P of a subsentence (if P then Q) is considered to be within the scope of an additional implicit negation.) This strategy allows us to disregard many useless applications of the rule.

Let us show that the resolution rule is sound; that is, in a given model of the theory and for a given specification, the meaning of the tableau is the same before and after application of the rule. It actually suffices to show that, if the derived goal is true, then at least one of the given goals is true; and if the given output entries are suitable, so is the derived output entry.

Suppose the derived goal (F[true] and G[false]) is true. Then both its conjuncts F[true] and G[false] are true. We distinguish between two cases, depending on whether or not the common subsentence P is true or false. In the case in which P is true, the (ground) goal F[P] has the same truth-value as the conjunct F[true]; that is, F[P] is true. In the case in which P is false, the goal G[P] has the same truth-value as the conjunct G[false]; that is, G[P] is true. In either case, one of the two given goals, F[P] and G[P], is true.

Now assume that the given output entries are suitable. To show that the derived output entry is suitable, we suppose that the derived goal is true and establish that the derived output entry satisfies the input-output condition. We have seen that, in the case in which P is true, the given goal F[P] is true; because its output entry s is suitable, it satisfies the input-output condition. Similarly, in the case in which P is false, the term t satisfies the input-output condition. In either case, therefore, the conditional expression (if P then s else t) satisfies the input-output condition; but this is the derived output entry.
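The ground resolution rule and its soundness argument, as an added Python example (not code from the paper): it rebuilds the derived goal and output entry for the p(a, b) example above and checks the two cases of the soundness proof by truth table. The tuple encoding of sentences, the function names, and the particular true-false rules implemented (including double-negation removal) are choices made here.

```python
from itertools import product

# Encoding (chosen for this example): atoms are strings, the truth symbols are
# Python bools, and compound sentences are tuples ("not", A), ("and", A, B)
# or ("if", A, B), the last meaning "if A then B".

def occurs(target, sentence):
    return sentence == target or (isinstance(sentence, tuple)
                                  and any(occurs(target, s) for s in sentence[1:]))

def substitute(sentence, target, value):
    """Replace every occurrence of the subsentence `target` with `value`."""
    if sentence == target:
        return value
    if isinstance(sentence, tuple):
        return (sentence[0],) + tuple(substitute(s, target, value) for s in sentence[1:])
    return sentence

def simplify(sentence):
    """Apply true-false transformation rules bottom-up."""
    if not isinstance(sentence, tuple):
        return sentence
    op, args = sentence[0], [simplify(s) for s in sentence[1:]]
    if op == "not":
        a = args[0]
        if isinstance(a, bool):
            return not a                      # not false -> true, not true -> false
        if isinstance(a, tuple) and a[0] == "not":
            return a[1]                       # not (not P) -> P
        return ("not", a)
    if op == "and":
        a, b = args
        if a is False or b is False:
            return False
        if a is True:
            return b                          # true and P -> P
        return a if b is True else ("and", a, b)
    if op == "if":
        a, b = args
        if a is False or b is True:
            return True
        if a is True:
            return b
        return simplify(("not", a)) if b is False else ("if", a, b)
    raise ValueError(op)

def resolve(goal_f, out_s, goal_g, out_t, p):
    """Ground resolution on common subsentence p: (derived goal, derived output)."""
    if not (occurs(p, goal_f) and occurs(p, goal_g)):
        raise ValueError("p must be a subsentence of both goals")
    derived = simplify(("and", substitute(goal_f, p, True), substitute(goal_g, p, False)))
    if out_s is None or out_t is None:        # at most one output entry: no conditional
        return derived, out_t if out_s is None else out_s
    return derived, ("if-then-else", p, out_s, out_t)

def evaluate(sentence, valuation):
    if isinstance(sentence, bool):
        return sentence
    if isinstance(sentence, str):
        return valuation[sentence]
    op, vals = sentence[0], [evaluate(s, valuation) for s in sentence[1:]]
    if op == "not":
        return not vals[0]
    if op == "and":
        return vals[0] and vals[1]
    return (not vals[0]) or vals[1]           # "if A then B"

def atoms(sentence):
    if isinstance(sentence, str):
        return {sentence}
    if isinstance(sentence, tuple):
        return set().union(*(atoms(s) for s in sentence[1:]))
    return set()

def case_analysis_holds(goal_f, goal_g, p):
    """Whenever the derived goal is true: F is true if p is true, else G is true."""
    derived, _ = resolve(goal_f, None, goal_g, None, p)
    names = sorted(atoms(goal_f) | atoms(goal_g))
    for bits in product([False, True], repeat=len(names)):
        val = dict(zip(names, bits))
        chosen = goal_f if evaluate(p, val) else goal_g
        if evaluate(derived, val) and not evaluate(chosen, val):
            return False
    return True

# The two goals of the example above, with outputs a and b.
GOAL_F = ("and", "p(a,b)", "q(a)")
GOAL_G = ("not", ("if", "r(b)", "p(a,b)"))
COMMON = "p(a,b)"

if __name__ == "__main__":
    print(resolve(GOAL_F, "a", GOAL_G, "b", COMMON))
    print(case_analysis_holds(GOAL_F, GOAL_G, COMMON))
```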


THE RESOLUTION RULE: GENERAL VERSION


We have described the ground version of the resolution rule, which applies to goals with no variables. We now present the general version, which applies to goals with variables. In this case, we can apply a substitution to the goals, as necessary, to create a common subsentence.

    assertions                              outputs f(a)

                  Gθ[false]                 then sθ
                                            else tθ

More precisely, suppose our tableau contains goals F and G, which have no variables in common. (This can be ensured by renaming the variables of the rows as necessary, according to the renaming property.) Suppose further that some of the subsentences of F and some of the subsentences of G are unifiable, with a most-general unifier θ; let Pθ be the unified subsentence. Then we may derive and add to our tableau the new goal obtained by replacing all occurrences of Pθ in Fθ with true, replacing all occurrences of Pθ in Gθ with false, and forming the conjunction of the results. The associated output entry is a conditional expression whose test is the unified subsentence Pθ and whose then-clause and else-clause are the corresponding instances sθ and tθ, respectively, of the given output entries.

In other words, to apply the general version of the rule to F and G, we apply the ground version of the rule to Fθ and Gθ. The soundness of the general version follows from the soundness of the ground version. The polarity strategy applies as before. If we wish to apply the rule to an assertion and a goal or to two assertions, we can regard the assertions as goals by negating them, as in the ground case.

For example, suppose our tableau contains the rows


assertions


?/  'I 

not  [y  T  l>  <  ejj 

lilt) 


The subsentences are respectively positive and negative, as indicated by the annotation. We may regard the assertion as a goal by negating it. By application of the general version of the resolution rule, we may derive the new row


By the application of true-false transformation rules, this goal reduces to


Note that the unifier θ has been applied to all variables in the given rows, including those in the output entry. Because the given assertion has no output entry, the derived output entry is not a conditional expression. This application of the rule is in accordance with the polarity strategy.


The resolution rule and the true-false transformation rules have been shown by Murray [82] to constitute a complete system for first-order logic. The polarity strategy maintains this completeness.

We use an associative-commutative unification algorithm (as in Stickel [81]) so that the associative and commutative properties of such operators as addition and conjunction can be taken into account in finding a unifier; thus, p(f(x) + (b + g(a))) can be unified with p((g(y) + f(b)) + x).

We have introduced two additional rules to give special treatment to equality and other important relations (Manna and Waldinger [85]), but these rules play no part in the portion of the derivation to be discussed.

We shall need the induction rule; this we describe next.


THE MATHEMATICAL INDUCTION RULE

The rules presented so far do not allow us to introduce any repetitive construct into the program being derived. The induction rule accounts for the introduction of recursion in the derived program. We employ a single well-founded induction rule, which applies to a variety of theories.

A well-founded relation is one that admits no infinite decreasing sequences, i.e., sequences

    x₁ ≻_w x₂ and x₂ ≻_w x₃ and ....

For instance, the less-than relation < is well-founded in the theory of nonnegative integers, but not in the theory of real numbers.


The version of the well-founded induction rule we need for the derivation is expressed as follows (the general version is more complex):

Suppose our initial tableau is


In other words, we are attempting to construct a program f that, for an arbitrary input a, yields an output z satisfying the input-output condition

    if P[a]
    then R[a, z].

According to the well-founded induction rule, we may prove this assuming as our induction hypothesis that the program f will yield an output f(x) satisfying the same input-output condition

    if P[x]
    then R[x, f(x)],

provided that x is less than a with respect to some well-founded relation, that is, x ≺_w a. In other words, we may add to our tableau the new assertion

    if x ≺_w a
    then if P[x]
         then R[x, f(x)]

The well-founded relation used in the induction rule is arbitrary and must be selected later in the proof.

Kor  <'xanipie,  consi(h’r  the  initial  tableau  obtained  fn>m  I  he  square-root  specification: 


<iss<'rtioiis 


0  <  r  and  0  <  r 


2^  <r  and 
not  [(2  -be)*  <  r] 


By application of the well-founded induction rule, we may introduce as a new assertion the
induction hypothesis

    if (x, v) ≺_w (r, ε)
    then if 0 ≤ x and 0 < v
         then [sqrt(x, v)]² ≤ x and
              not ([sqrt(x, v) + v]² ≤ x)

In other words, we may assume inductively that the output of the square-root program we construct
will satisfy the input-output condition for inputs x and v that are less than the given inputs r and
ε with respect to some well-founded relation ≺_w.

Use of the induction hypothesis in the proof may account for the introduction of a recursive
call into the derived program. For example, suppose that in the square-root derivation we manage
to develop a goal of form


The boxed subsentences of this goal and the induction hypothesis are unifiable; a most-general
unifier is

    θ : {x ← a, v ← b, z ← sqrt(a, b)}.

Therefore, we can apply the resolution rule to obtain the new goal


This goal reduces under transformation to


Note that a recursive call sqrt(a, b) has been introduced into the output entry as a result of
this step. The condition (0 ≤ a and 0 < b) in the goal ensures the legality of the arguments a and
b, i.e., that they satisfy the input condition of the desired program. The condition (a, b) ≺_w (r, ε)
ensures that the evaluation of the recursive call cannot lead to a nonterminating computation. (If
there were an infinite computation, we could construct a corresponding infinite sequence of pairs
of arguments decreasing with respect to ≺_w, thus contradicting the definition of a well-founded
relation.)

The particular well-founded relation ≺_w referred to in the induction hypothesis is not yet
specified; it is selected at a later stage of the proof. If we allow well-founded relations to be objects
in our domain, we may regard the sentence x ≺_w y as an abbreviation for ≺(w, x, y); thus, w
is a variable that may be instantiated to a particular relation. We assume that the properties of
many known well-founded relations (such as <_tree, the proper-subtree relation over trees) and of
functions for combining them are among the assertions of our initial tableau.

We have given the simplest version of the induction rule, which is applied only to the initial
rows of the tableau; in its general version, we may apply the rule to any of the rows, and we may
strengthen or generalize the rows to which the rule is applied. In this more general version, the
rule accounts for the introduction of auxiliary subprograms into the program being constructed.
We shall avoid discussion of auxiliary subprograms here.

We are now ready to present the most interesting segment of the derivation of the square-root
program.


THE  DERIVATION 

Recall that, in the theory of real numbers, the specification for the real-number square-root program
is

    sqrt(r, ε) ⇐ find z such that
                 z² ≤ r and not [(z + ε)² ≤ r],
                 where 0 ≤ r and 0 < ε.

In other words, we want to find an estimate z that is within a tolerance ε less than √r, the exact
square root of r, where we may assume that r is nonnegative and ε is positive.

We begin accordingly with the tableau

    assertions
        0 ≤ r and 0 < ε
    goals
        2. z² ≤ r and not [(z + ε)² ≤ r]

The assertion and goal of this tableau are the input and output conditions, respectively, of the
given specification; the output entry of the goal is the output variable of the program.


THE DISCOVERY OF BINARY SEARCH

We are about to apply the resolution rule to goal 2 and itself. To make this step easier to
understand, let us write another copy of goal 2.

    2'. ẑ² ≤ r and not [(ẑ + ε)² ≤ r]        (output entry: ẑ)

We have renamed the variable of the second copy of the goal, so that the two copies have no
variables in common.

The boxed subsentences of the two copies of the goal are unifiable; a most-general unifier is

    θ : {z ← ẑ + ε}.

Therefore, we can apply the resolution rule between the two copies of goal 2 to obtain


By application of transformation rules, including the rule

    u + u → 2u,

this goal can be reduced to


(We have reordered the conjuncts for pedagogical reasons only; because we use associative-
commutative unification, their actual order is irrelevant.)


According to goal 3, it suffices to find a rougher estimate ẑ, which is within a tolerance 2ε less
than √r, the exact square root of r. For then either ẑ + ε or ẑ itself will be within ε less than √r,
depending on whether or not ẑ + ε is less than or equal to √r. The two possibilities are illustrated
below:

[Figure: two diagrams. Case: ẑ + ε ≤ √r. Case: not (ẑ + ε ≤ √r).]

Goal 3 contains the essential idea of binary search as applied to the square-root problem.
Although the idea seems subtle to us, it appears almost immediately in the derivation. The step
is nearly inevitable: any brute-force search procedure would discover it.

The derivation of goal 3 is logically straightforward, but the intuition behind it may be a bit
mysterious. Let us paraphrase the reasoning in a more geometric way. Our initial goal 2 expresses
that it suffices to find a real number z such that √r belongs to the half-open interval [z, z + ε).
Our rewritten goal 2' expresses that it is equally acceptable to find a real number ẑ such that √r
belongs to the half-open interval [ẑ, ẑ + ε). We shall be content to achieve either of these goals;
i.e., we shall be happy if √r belongs to either of the two half-open intervals. In taking z to be
ẑ + ε, we are concatenating the two intervals, obtaining a new half-open interval [ẑ, ẑ + 2ε) twice
the length of the original. It suffices to find a real number ẑ such that √r belongs to this new,
longer interval, because then √r must belong to one or the other of the two smaller ones.


INTRODUCTION  OF  THE  RECURSIVE  CALLS 

Let us continue the derivation one more step. By the well-founded induction rule, we may
introduce the induction hypothesis


In other words, we assume inductively that the output sqrt(x, v) of the program will satisfy the
input-output condition for any inputs x and v such that (x, v) ≺_w (r, ε). The boxed subsentences
of goal 3 and the induction hypothesis are unifiable; a most-general unifier is

    θ : {x ← r, v ← 2ε, ẑ ← sqrt(r, 2ε)}.


We obtain (after true-false transformation)


Note that at this point three recursive calls sqrt(r, 2ε) have been introduced into the output
entry. The condition (0 ≤ r and 0 < 2ε) ensures that the arguments r and 2ε of these recursive
calls will satisfy the input condition for the program, that r is nonnegative and 2ε is positive.
The condition (r, 2ε) ≺_w (r, ε) ensures that the newly introduced recursive calls cannot lead to
a nonterminating computation. The well-founded relation ≺_w that serves as the basis for the
induction is as yet unspecified.

We omit those portions of the derivation that account for the introduction of the base case
and the choice of the well-founded relation. The final program we obtain is

    sqrt(r, ε) ⇐ if ε ≤ max(r, 1)
                 then if [sqrt(r, 2ε) + ε]² ≤ r
                      then sqrt(r, 2ε) + ε
                      else sqrt(r, 2ε)
                 else 0.

A few words on this program are in order.


DISCUSSION  OF  THE  PROGRAM 

The program first checks whether the error tolerance ε is reasonably small. If ε is very big,
that is, if max(r, 1) < ε, then the output can safely be taken to be 0. For, because 0 ≤ r, we have

    0² ≤ r.

And because max(r, 1) < ε, we have r < ε and 1 < ε, and hence r < ε², that is,

    not [(0 + ε)² ≤ r].

Thus, 0 satisfies both conjuncts of the output condition in this case.

If ε is small, that is, ε ≤ max(r, 1), the program finds a rougher estimate sqrt(r, 2ε), which is
within 2ε less than √r. The program asks whether increasing this estimate by ε will leave it less
than √r. If so, the rough estimate is increased by ε; if not, the rough estimate is already close
enough.

The termination of the program is a bit problematic, because the argument ε is doubled with
each recursive call. However, the argument r is unchanged and recursive calls are evaluated only in
the case in which ε ≤ max(r, 1), so there is a uniform upper bound on these increasing arguments.
More precisely, the well-founded relation ≺_w selected in the proof is one such that

    (x, 2y) ≺_w (x, y),

provided that 0 < y ≤ max(r, 1).

If the multiple occurrences of the recursive call sqrt(r, 2ε) are combined by eliminating common
subexpressions, the program we obtain is reasonably efficient; it requires ⌈log₂(max(r, 1)/ε)⌉
recursive calls.
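
The effect of combining the recursive calls can be measured directly. The following Python sketch is an added example, not code from the paper: it evaluates the derived program once literally (each textual occurrence of sqrt(r, 2ε) is a separate call) and once with the common subexpression shared, using exact rationals. The function names and the call counter are assumptions of this example.

```python
from fractions import Fraction


def meets_spec(r, eps, z):
    """Output condition of the specification: z^2 <= r and not (z + eps)^2 <= r."""
    return z * z <= r and not (z + eps) ** 2 <= r


def sqrt_literal(r, eps, calls):
    """The derived program evaluated as written, without sharing sqrt(r, 2*eps)."""
    calls[0] += 1
    if eps <= max(r, 1):
        if (sqrt_literal(r, 2 * eps, calls) + eps) ** 2 <= r:
            return sqrt_literal(r, 2 * eps, calls) + eps
        return sqrt_literal(r, 2 * eps, calls)
    return Fraction(0)  # base case: max(r, 1) < eps


def sqrt_shared(r, eps, calls):
    """Same program with the common subexpression sqrt(r, 2*eps) evaluated once."""
    calls[0] += 1
    if eps <= max(r, 1):
        rough = sqrt_shared(r, 2 * eps, calls)  # within 2*eps below the exact root
        return rough + eps if (rough + eps) ** 2 <= r else rough
    return Fraction(0)


def run(program, r, eps):
    """Return (z, number of recursive calls), not counting the top-level call."""
    r, eps = Fraction(r), Fraction(eps)
    if r < 0 or eps <= 0:
        raise ValueError("input condition violated: need 0 <= r and 0 < eps")
    calls = [0]
    z = program(r, eps, calls)
    return z, calls[0] - 1


if __name__ == "__main__":
    tolerance = Fraction(1, 1000)  # constructed sample input
    for program in (sqrt_shared, sqrt_literal):
        z, n = run(program, 2, tolerance)
        print(program.__name__, z, float(z), n, meets_spec(2, tolerance, z))
```

For r = 2 and ε = 1/1000 the shared version returns 707/500 after 11 recursive calls, while literal evaluation makes 4094 recursive calls to reach the same value.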

Our final program is somewhat different from the iterative program we considered in the
beginning. The iterative program divides an interval in half at each iteration; the recursive program
doubles an interval with each recursive call. Division of the interval in half occurs implicitly as the
recursive program unwinds, i.e., when the recursive calls yield output values.

It is possible to obtain a version of the iterative program by formal derivation within the
deductive-tableau system. Although the derivation and the resulting program are more complex
(it requires two additional inputs), it was this derivation we discovered first, because we were
already familiar with the iterative program.

We first found the recursive program in examining the consequences of purely formal derivation
steps, not because we expected them to lead to a program but because we were looking for strategic
considerations that would rule them out. When we examined the program initially, we suspected
an error in the derivation. We had not seen programs of this form before, and we certainly would
not have constructed this one by informal means.


ANALOGOUS  ALGORITHMS 

Many binary-search algorithms have been derived in an analogous way. Let us first consider some
other real-numerical problems.


REAL-NUMBER ALGORITHMS

Suppose a program to perform real-number division is specified as follows:

    div(r, s, ε) ⇐ find z such that
                   z · s ≤ r and not [(z + ε) · s ≤ r]
                   where 0 ≤ r and 0 < s and 0 < ε.


In other words, the program is required to yield a real number z that is within a tolerance ε less
than r/s, the exact quotient of dividing r by s. We obtain the program

    div(r, s, ε) ⇐ if ε · s ≤ r
                   then if [div(r, s, 2ε) + ε] · s ≤ r
                        then div(r, s, 2ε) + ε
                        else div(r, s, 2ε)
                   else 0.

The rationale for this program, like its derivation, is analogous to that for the real-number
square root. The program first checks whether the error tolerance is reasonably small, that is, if
ε · s ≤ r. If ε is very big, that is, if r < ε · s, then the output can be taken safely to be 0. For
because 0 ≤ r, we have

    0 · s ≤ r.

And because r < ε · s, we have r < (0 + ε) · s, that is,

    not [(0 + ε) · s ≤ r].

Thus, 0 satisfies both conjuncts of the output condition in this case.

On the other hand, if ε is small, that is, if ε · s ≤ r, the program finds a rougher estimate
div(r, s, 2ε), which is within 2ε less than r/s. The program considers whether increasing this
estimate by ε will leave it less than r/s. If so, the rough estimate may be increased by ε; if not,
the rough estimate is already close enough.

The termination proof for this program is also analogous to that for the square root. Although
the argument ε is doubled with each recursive call, the other arguments are unchanged and the
calls are evaluated only in the case in which ε · s ≤ r, that is, ε ≤ r/s. Thus, there is a uniform
upper bound on the doubled argument.

It may be clear from the above discussion that there is little in the derivations for the square-
root and division programs that depends on the properties of these functions. More or less the same
derivation suffices to find an approximate solution to an arbitrary real-number equation f(z) = r.

For a given computable function f, we consider the specification

    solve(r, ε) ⇐ find z such that
                  f(z) ≤ r and not [f(z + ε) ≤ r]
                  where f(a) ≤ r and (for all u)[if b < u then not (f(u) ≤ r)]

Here a and b are primitive constants and u is a variable. In other words, we assume that there
exist real numbers a and b such that f(a) ≤ r and f(u) > r for every real u greater than b. The
specification is illustrated as follows:

[Figure: graph of f(u) against u, with the points a, z, z + ε and b marked on the u axis.]

Note that we do not need to assume f is increasing or even continuous; if f is not continuous,
an exact solution to the equation f(z) = r need not exist, but only an approximate solution is
required by the specification.

The program we obtain is

    solve(r, ε) ⇐ if a + ε ≤ b
                  then if f(solve(r, 2ε) + ε) ≤ r
                       then solve(r, 2ε) + ε
                       else solve(r, 2ε)
                  else a.

In the recursive case, in which a + ε ≤ b, the program is so closely analogous to the previous
binary-search programs as to require no further explanation. In the base case, in which b < a + ε,
the output can safely be taken to be a. For, by our input condition, we have

    f(a) ≤ r

and (again by our input condition, because b < a + ε)

    not [f(a + ε) ≤ r].

Thus, a satisfies both conjuncts of the output condition in this case.

The above program may be regarded as a schema, because we may take the symbol f to
be any primitive function symbol. An even more general binary-search program schema can be
derived from the specification

    search(r, ε) ⇐ find z such that
                   p(r, z) and not p(r, z + ε)

wl,m.  md 

where p is a primitive relation symbol and a and b are primitive constants. We obtain the schema

    search(r, ε) ⇐ if a + ε ≤ b
                   then if p(r, search(r, 2ε) + ε)
                        then search(r, 2ε) + ε
                        else search(r, 2ε)
                   else a.


INTEGER  ALGORITHMS 


The programs we have discussed apply to the nonnegative real numbers; using the same
approach, we have derived analogous programs that apply to the nonnegative integers. These
derivations require a generalization step in applying the induction rule. We have avoided presenting
generalization and the concomitant introduction of auxiliary programs in this paper, but we give
some results of these derivations here.


Integer  square  root 

The integer square-root program is intended to find the integer part of √n, the real square
root of a nonnegative integer n. It can be specified in the theory of nonnegative integers as follows:

    sqrt(n) ⇐ find z such that
              z² ≤ n and not [(z + 1)² ≤ n].

In other words, the program must yield a nonnegative integer z that is within 1 less than √n.

In the course of the derivation, we are led to introduce an auxiliary program to meet the more
general specification

    sqrt2(n, i) ⇐ find z such that
                  z² ≤ n and not [(z + i)² ≤ n]
                  where 0 < i.

In other words, we wish to find a nonnegative integer z that is within i less than √n. This auxiliary
specification is precisely analogous to the real-number square-root specification, with i playing the
role of the error tolerance ε.

The programs we obtain to meet these specifications are

    sqrt(n) ⇐ sqrt2(n, 1),

where

    sqrt2(n, i) ⇐ if i ≤ n
                  then if [sqrt2(n, 2i) + i]² ≤ n
                       then sqrt2(n, 2i) + i
                       else sqrt2(n, 2i)
                  else 0.


Integer  quotient 

The integer quotient program can be specified similarly:

    quot(m, n) ⇐ find z such that
                 z · n ≤ m and not [(z + 1) · n ≤ m]
                 where 0 < n.

In other words, we wish to find a nonnegative integer z that is within 1 less than m/n, the real-
number quotient of m and n.

In the course of the derivation, we are led to introduce an auxiliary program to meet the more
general specification

    quot2(m, n, i) ⇐ find z such that
                     z · n ≤ m and not [(z + i) · n ≤ m]
                     where 0 < n and 0 < i.

In other words, we wish to find a nonnegative integer z that is within i less than m/n.

The programs obtained to meet these specifications are

    quot(m, n) ⇐ quot2(m, n, 1)

where

    quot2(m, n, i) ⇐ if i · n ≤ m
                     then if [quot2(m, n, 2i) + i] · n ≤ m
                          then quot2(m, n, 2i) + i
                          else quot2(m, n, 2i)
                     else 0.

The  derivation  is  again  analogous. 
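
The search schema and three of the programs of this section, as an added Python sketch (not code from the paper): one function implements the schema with the recursive call shared, and real-number division, the integer square root and an equation f(z) = r for a discontinuous, non-increasing f are obtained by choosing p, a and b. The input condition assumed for search is carried over from the solve specification, and the names satisfies, sawtooth and int_sqrt are assumptions of this example.

```python
from fractions import Fraction


def search(p, a, b, r, eps):
    """Binary-search schema: return z with p(r, z) and not p(r, z + eps).

    Assumed input condition (taken over from the solve specification):
    0 < eps, p(r, a) holds, and p(r, u) fails for every u greater than b.
    """
    if eps <= 0:
        raise ValueError("eps must be positive")
    if a + eps <= b:
        rough = search(p, a, b, r, 2 * eps)  # p(r, rough) and not p(r, rough + 2*eps)
        return rough + eps if p(r, rough + eps) else rough
    return a  # here b < a + eps, so p(r, a + eps) fails


def satisfies(p, r, eps, z):
    """Output condition of the schema."""
    return p(r, z) and not p(r, z + eps)


def div(r, s, eps):
    """Real-number division: a = 0 and b = r/s, so a + eps <= b is eps * s <= r."""
    r, s, eps = Fraction(r), Fraction(s), Fraction(eps)
    return search(lambda r_, z: z * s <= r_, Fraction(0), r / s, r, eps)


def int_sqrt(n):
    """Integer square root sqrt2(n, 1): a = 0 and b = n, since u*u > n for u > n."""
    return search(lambda n_, z: z * z <= n_, 0, n, n, 1)


def sawtooth(u):
    """Constructed sample f: neither increasing nor continuous, with f(u) >= u."""
    return u + 3 if (u // 1) % 2 else u


def solve(f, a, b, r, eps):
    """Approximate solution of f(z) = r in the sense of the solve specification."""
    a, b, r, eps = Fraction(a), Fraction(b), Fraction(r), Fraction(eps)
    return search(lambda r_, z: f(z) <= r_, a, b, r, eps)


if __name__ == "__main__":
    print(div(7, 2, Fraction(1, 8)))                  # quotient within 1/8 below 7/2
    print([int_sqrt(n) for n in (0, 1, 17, 99)])      # integer parts of the roots
    print(solve(sawtooth, 0, 5, 5, Fraction(1, 4)))   # f(0) <= 5 and f(u) > 5 for u > 5
```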


DISCUSSION 


The derivations were first discovered manually; the real-number square-root derivation was
subsequently reproduced by Yellin in an interactive program-synthesis system. The only automatic
implementation of the system (Russell [83]) is unable to construct the derivation for a simple reason:
it never attempts to apply the resolution rule to a goal and itself.

The results of this investigation run counter to our usual experience. It is common for a bit of
reasoning that seems simple and intuitively straightforward to turn out to be difficult to formalize
and more difficult still to duplicate automatically. Here the opposite is true: an idea that requires
a substantial leap of human ingenuity to discover is captured mechanically in a few easy formal
steps.